Certificate Translation in Abstract Interpretation Gilles Barthe and - - PowerPoint PPT Presentation

Certificate Translation in Abstract Interpretation

Gilles Barthe and C´ esar Kunz

Inria

April 2, 2008

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 1 / 25

Motivation: source code verification

Traditional PCC

Producer Consumer

Proof Checker OK Source Program Compiler VCGen Verification Conditions Prover Certificate Execution VCGen Verification Conditions Compiled Program

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 2 / 25

Motivation: source code verification

Source Code Verification

VCGen Verification Conditions Prover Certificate

Producer Consumer

Proof Checker OK Source Program Compiler Execution VCGen Verification Conditions Compiled Program

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 2 / 25

Motivation: source code verification

Certificate Translation

VCGen Verification Conditions Prover Certificate Certificate Certificate Translator

Producer Consumer

Proof Checker OK Source Program Compiler Execution VCGen Verification Conditions Compiled Program

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 2 / 25

Certificate translation vs certifying compilation

Program Source Compiler VCGen Verification Conditions Prover Proof Checker Certificate VCGen Verification Conditions Compiled Program OK Execution Program Source VCGen Verification Conditions Prover Certificate Certificate Compiler Proof Checker VCGen Verification Conditions Compiled Program OK Execution Certificate Translator

Conventional PCC Certificate Translation Automatically in- ferred invariants Specification Interactive Automatic certifying compiler Verification Interactive source verification Safety Properties Complex func- tional properties

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 3 / 25

An Abstract Model for Certificate Translation

particular language particular VCgen particular program

• ptimizations

       hard to generate a single unify- ing framework Model: Abstract interpretation of low step trace semantics

1 we show:

interactive verification automatic program analysis

• instances of the same abstract

model.

2 study their interaction in certificate translation Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 4 / 25

Program Representation

c := 1 x′ := x y′ := y while (y′ = 1) do if (y′ mod 2 = 1) then c := c × x′ fi done x′ = x′ × c Program: directed graph Nodes denoting execution points (N). Edges denoting possible transitions between nodes (E).

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 5 / 25

Abstract Interpretation

Program semantics

l1 l2 l3 l5

. . . . . .

lf {η1, η′

1, η′′ 1}

{η2, η′

2}

{η3} {η′

5}

{ηf, η′

f, η′′ f }

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 6 / 25

Abstract Interpretation

Program semantics Abstract representation

l1 l2 l3 l5

. . . . . .

lf {η1, η′

1, η′′ 1}

{η2, η′

2}

{η3} {η′

5}

{ηf, η′

f, η′′ f }

l1 l2 l3 l5

. . . . . .

lf a1 a2 a3 a5 af

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 6 / 25

Solution of an Abstract Interpretation

D = D, ⊑, ⊓, . . ., Tli,lj : D → D a transfer function (for any edge li, lj)

l1 l2 l3 l5

. . . . . .

lf a1 a2 a3 a5 af

{a1, a2, . . . , af} a solution of (D, T) if: Tl1,l2(a1) ⊑ a2 Tl2,l5(a2) ⊑ a5 Tl1,lf(a1) ⊑ af . . .

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 7 / 25

Example of decidable solution (e.g. constant propagation)

(D, T): constant analysis

i:=0 x:=b+i i = n i=c+i j:=x.i i = 0

⊥ (i, 0) (x, b) (x, b) (x, b) ⊥

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 8 / 25

Example of non-decidable solution (e.g. program verification)

(D, T): weakest precondition calculus

i:=0 x:=b+i i = n i=c+i j:=x.i i = 0

{j = 0} {j = (b + i) ∗ i ∧ b ≤ (b + i) ∧ 0 ≤ i} {Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i} {x ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i} {j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i} {n ∗ b ≤ j}

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 9 / 25

Galois connections captures notion of imprecision

In the following (intuition): (D, T): weakest precondition based verification framework (D♯, T ♯): static analysis that justifies a program optimization.

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 10 / 25

Consistency of T ♯ w.r.t. T

T(γ(a)) ⊑ γ(T ♯(a))

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 11 / 25

Consistency of T ♯ w.r.t. T

T(γ(a)) ⊑ γ(T ♯(a)) Smaller elements: more information

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 11 / 25

Consistency of T ♯ w.r.t. T

l1 l2 l3 l5

. . . . . .

lf a1 a2 a3 a5 af l1 l2 l3 l5

. . . . . .

lf γ(a1) γ(a2) γ(a3) γ(a5) γ(af)

Result: {a1, a2 . . . an} a solution of (D♯, T ♯), then {γ(a1), γ(a2) . . . γ(an)} is a solution of (D, T).

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 12 / 25

A Primer on Certificate Translation

x:=4 y:=x x=y? x = y?

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 13 / 25

A Primer on Certificate Translation

D:logic formulae

x:=4 y:=x x=y? x = y? true x ≥ 0 true false

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 13 / 25

A Primer on Certificate Translation

D♯:const. analysis D:logic formulae

x:=4 y:=x x=y? x = y? true x ≥ 0 true false ⊤ (x, 4) (x, 4), (y, 4) . . . . . .

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 13 / 25

A Primer on Certificate Translation

D♯:const. analysis D:logic formulae

x:=4 y:=x x=y? x = y? true x ≥ 0 true false ⊤ (x, 4) (x, 4), (y, 4) . . . . . . x:=4 y:=4 x=y? x = y? true x ≥ 0 true false ⊤ (x, 4) (x, 4), (y, 4) . . . . . .

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 13 / 25

A Primer on Certificate Translation

D♯:const. analysis D:logic formulae

x:=4 y:=x x=y? x = y? true x ≥ 0 true false ⊤ (x, 4) (x, 4), (y, 4) . . . . . . x:=4 y:=4 x=y? x = y? true x ≥ 0 true false ⊤ (x, 4) (x, 4), (y, 4) . . . . . .

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 13 / 25

A Primer on Certificate Translation

Key Idea sufficiently strong solution ↔ preservation along transformations

x:=4 y:=x x=y? x = y? true x ≥ 0 true false ⊤ (x, 4) (x, 4), (y, 4) . . . . . .

{a1 . . . an} solution of (D♯, T ♯)

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 14 / 25

A Primer on Certificate Translation

Key Idea sufficiently strong solution ↔ preservation along transformations

x:=4 y:=x x=y? x = y? true x ≥ 0 true false γ(⊤) γ((x, 4)) γ((x, 4), (y, 4)) . . . . . .

{a1 . . . an} solution of (D♯, T ♯) {γ(a1) . . . γ(an)} solution of (D, T)

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 14 / 25

A Primer on Certificate Translation

Key Idea sufficiently strong solution ↔ preservation along transformations

x:=4 y:=x x=y? x = y? true x ≥ 0 true false true x = 4 x = 4 ∧ y = 4 . . . . . .

{a1 . . . an} solution of (D♯, T ♯) {γ(a1) . . . γ(an)} solution of (D, T)

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 14 / 25

A Primer on Certificate Translation

Key Idea sufficiently strong solution ↔ preservation along transformations

x:=4 y:=x x=y? x = y? true x ≥ 0 true false true x = 4 x = 4 ∧ y = 4 . . . . . .

{a1 . . . an} solution of (D♯, T ♯) {γ(a1) . . . γ(an)} solution of (D, T) {a1 . . . an} solution of (D, T) {b1 . . . bn} solution of (D, T) {a1 ⊓ b1 . . . an ⊓ bn} solution of (D, T)

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 14 / 25

Certified Setting

(ai)i∈N a solution of (D, T)

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 15 / 25

Certified Setting

(ai)i∈N a solution of (D, T) ⊑ is undecidable, e.g. D =logic formulae

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 15 / 25

Certified Setting

(ai)i∈N a solution of (D, T) ⊑ is undecidable, e.g. D =logic formulae ⊑ is costly to check.

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 15 / 25

Proof Algebra

Abstract Certificate Algebra C: if c ∈ C(⊢ a ⊑ a′) then a ⊑ a′.

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 16 / 25

Proof Algebra

Abstract Certificate Algebra C: if c ∈ C(⊢ a ⊑ a′) then a ⊑ a′. axiom : C(⊢ a ⊑ a) weak⊓ : C(⊢ a ⊑ b) → C(⊢ a ⊓ c ⊑ b) weak⊔ : C(⊢ a ⊑ b) → C(⊢ a ⊑ b ⊔ c) elim⊓ : C(⊢ c ⊓ a ⊑ b) → C(⊢ c ⊑ a) → C(⊢ c ⊑ b) intro⊔ : C(⊢ a ⊑ c) → C(⊢ b ⊑ c) → C(⊢ a ⊔ b ⊑ c) intro⊓ : C(⊢ a ⊑ b) → C(⊢ a ⊑ c) → C(⊢ a ⊑ b ⊓ c)

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 16 / 25

Certified Solutions

Definition {a1 . . . an}, c is a certified solution if for any edge i, j c(i, j) ∈ C(⊢ Ti,j(ai) ⊑ aj)

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 17 / 25

Certified Solutions

Definition {a1 . . . an}, c is a certified solution if for any edge i, j c(i, j) ∈ C(⊢ Ti,j(ai) ⊑ aj) if ({a1 . . . an}, ca) and ({b1 . . . bn}, cb) are certified solutions of D, then ({a1 ⊓ b1 . . . an ⊓ bn}, ca ⊕ cb) is a certified solution.

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 17 / 25

Certified Solutions

Definition {a1 . . . an}, c is a certified solution if for any edge i, j c(i, j) ∈ C(⊢ Ti,j(ai) ⊑ aj) if ({a1 . . . an}, ca) and ({b1 . . . bn}, cb) are certified solutions of D, then ({a1 ⊓ b1 . . . an ⊓ bn}, ca ⊕ cb) is a certified solution. if {a1 . . . an} is a solution of (D♯, T ♯), and cons s.t. for any edge i, j consi,j ∈ C(⊢ Ti,j(γ(a)) ⊑ γ(T ♯

i,j(a)))

then ({γ(a1) . . . γ(an)}, c) is a certified solution of (D, T) [for some c].

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 17 / 25

Program Transformation

l1 l2 l3 l4 l5 l1 l2 l3 l4 l5

Te → T ′

e, e ∈ E

a proof of T ′

l2,l3( ) ⊑ a3 ⊓ Tl2,l3( )

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 18 / 25

Program Transformation

l1 l2 l3 l4 l5 l1 l2 l3 l4 l5

Te → T ′

e, e ∈ E

a proof of T ′

l2,l3( ) ⊑ a3 ⊓ Tl2,l3( )

const and copy propag / loop induction var strength reduction /

• common. subexpr elimination / etc.

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 18 / 25

Code Duplication

l1 l2 l3 l4 l5 l1

l′

2

l′

3

l2 l3 l4 l5

loop unrolling / function inlining

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 19 / 25

Node Coalescing

l1 l2 l3 l4 l5 l6 l7 l8 l1 l2 l345 l6 l7 l8

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 20 / 25

In practice, Certificate Translation will

compute the analysis result that ensures that the transformation is semantics preserving: S♯

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 21 / 25

In practice, Certificate Translation will

compute the analysis result that ensures that the transformation is semantics preserving: S♯ certify a representation of the analysis: (γ ◦ S♯, ca)

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 21 / 25

In practice, Certificate Translation will

compute the analysis result that ensures that the transformation is semantics preserving: S♯ certify a representation of the analysis: (γ ◦ S♯, ca) certify that γ ◦ S♯ justifies the transformation: justif

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 21 / 25

In practice, Certificate Translation will

compute the analysis result that ensures that the transformation is semantics preserving: S♯ certify a representation of the analysis: (γ ◦ S♯, ca) certify that γ ◦ S♯ justifies the transformation: justif merges the original certified solution (S, c) with (γ ◦ S♯, ca) and justif to generate a certified solution (S ⊓ γ ◦ S♯, c ⊕ ca ⊕ justif)

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 21 / 25

Conclusions

proposed an abstract model of both program analysis and program verification

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 22 / 25

Conclusions

proposed an abstract model of both program analysis and program verification extended this model with a notion of certificates

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 22 / 25

Conclusions

proposed an abstract model of both program analysis and program verification extended this model with a notion of certificates studied certifying analyzers and certificate translators in this model

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 22 / 25

Conclusions

proposed an abstract model of both program analysis and program verification extended this model with a notion of certificates studied certifying analyzers and certificate translators in this model identify requirements over the analysis and the transformation that can be instantiated to particular frameworks.

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 22 / 25

Conclusions

proposed an abstract model of both program analysis and program verification extended this model with a notion of certificates studied certifying analyzers and certificate translators in this model identify requirements over the analysis and the transformation that can be instantiated to particular frameworks. Thank you.

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 22 / 25

Example

Figure: Annotated program Figure: Program after loop unrolling

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 23 / 25

Example

Figure: Program after loop unrolling Figure: Program after optimizing transformations

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 24 / 25

Example

Figure: Program after optimizing transformations Figure: Node coalescing and dead assignment elimination

Gilles Barthe and C´ esar Kunz (Inria) Certificate Translation in A. I. April 2, 2008 25 / 25